Yii Framework - Access Control Filter

This Yii Framework extension extends the standard abilities of the built-in Access Control Filter. It is fully compatible with the native access control filter, supports all access rules, and does not require changing them during setup.

Resource Access Rule Term

From time to time we need to restrict user access to specific models. E.g. a user may manage only his own products or
delete only his own comments, etc.

Each time, for such an action, we use something like:

if (Yii::app()->user->hasAccessTo($model)) { /* ... */ }
// or
if ($model->user_id == Yii::app()->user->id) { /* ... */ }

To prevent code duplication and to perform access control more clearly and declaratively, we implemented the 'resource' term.

We assume that the model id is placed in a request variable ($_GET['id'] or $_POST['ProductForm']['id']) and that one of the model's attributes/methods declares ownership.

Params

model - specifies the resource model. It can be an object (Comment::model()), a class name ('Comment'), or empty/not defined.
In the last case, the model class is taken from the controller class: modelClass = str_replace('Controller', '', controllerClass).
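
The ownership check described above, written as a fail-closed helper. This is an added example, not the extension's own code: the function names, the `$findByPk` callback and the `user_id` default are assumptions, and the product rows are constructed sample data.

```php
<?php
// Added example: hypothetical helper names, not the extension's API.

/** Derive the model class from the controller class, as the README describes. */
function resolveModelClass(string $controllerClass): string
{
    return str_replace('Controller', '', $controllerClass);
}

/**
 * Decide whether $userId owns the resource named in the request.
 * $findByPk stands in for the model lookup (e.g. an ActiveRecord finder).
 */
function isOwner(?int $userId, array $request, callable $findByPk, string $ownerAttr = 'user_id'): bool
{
    if ($userId === null) {
        return false; // guests own nothing
    }
    $id = $request['id'] ?? null;
    if (!is_scalar($id) || !ctype_digit((string) $id)) {
        return false; // missing, array-valued or non-numeric id
    }
    $model = $findByPk((int) $id);
    if ($model === null || !isset($model->$ownerAttr)) {
        return false; // unknown record, or no owner recorded on it
    }
    // Strict comparison: with ==, a null owner would equal a null (guest) user id.
    return (int) $model->$ownerAttr === $userId;
}

// Constructed sample data standing in for a products table.
$products = [
    1 => (object) ['id' => 1, 'user_id' => 10],
    2 => (object) ['id' => 2, 'user_id' => 20],
    3 => (object) ['id' => 3, 'user_id' => null], // orphaned row
];
$find = fn (int $pk) => $products[$pk] ?? null;

var_dump(resolveModelClass('ProductController'));
var_dump(isOwner(10, ['id' => '1'], $find));        // user's own record
var_dump(isOwner(10, ['id' => '2'], $find));        // another user's record
var_dump(isOwner(null, ['id' => '3'], $find));      // guest against an orphaned row
var_dump(isOwner(10, ['id' => ['1']], $find));      // array-valued id parameter
var_dump(isOwner(10, [], $find));                   // id missing from the request
```

Every branch that cannot prove ownership returns false, so a missing id or an ownerless record never grants access.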

Access Control Events Handling

You can also handle access control filtering results using events. The extension provides two events: onAfterAccessFilterFail and onAfterAccessFilterSuccess.
This can be useful when you want to prevent the '403 Access denied' exception and use a redirect instead.